Set up SSL/TLS with StartSSL

From UNPM.org Wiki
Jump to navigation Jump to search

StartSSL offers free SSL certificates that most browsers accept as a trusted Certificate Authority (CA). This means that sites served using StartSSL certificates will not draw any warnings from nearly all popular browsers when using the subdomains established for the certificate. In addition, StartSSL certificates support Server Name Indication (SNI), an extension of TLS that allows accepting more than one certificate from one IP address.

This article explains how to configure SSL/TLS with StartSSL on a UNPM server.

Virtually every step in this article requires root level access: 

username@servername:~$ sudo /bin/bash


Create domain key set

Installing the domain's key set is an important step in the process. It is important to guard this key as it will be used to encrypt the data transmitted in https sessions.

Create the private key set and signing requests

Create the directory that the key will be stored. Each domain will have its own key and associated certificates, which should be put into respective directories. The password for the key can be very complex as it will very rarely be entered. Just don't forget it. 

root@servername:~# mkdir -p /etc/ssl/private/example.com
root@servername:~# openssl genrsa -aes256 -out /etc/ssl/private/example.com/server.key 4096
root@servername:~# openssl rsa -in /etc/ssl/private/example.com/server.key -out /etc/ssl/private/example.com/server.key.insecure
root@servername:~# mv /etc/ssl/private/example.com/server.key /etc/ssl/private/example.com/server.key.secure
root@servername:~# mv /etc/ssl/private/example.com/server.key.insecure /etc/ssl/private/example.com/server.key
root@servername:~# chmod 400 /etc/ssl/private/example.com/{server.key,server.key.secure}
root@servername:~# openssl req -sha256 -new -key /etc/ssl/private/example.com/server.key -out /etc/ssl/private/example.com/server.csr

Note that these steps should be performed precisely, as they are crucial to the proper function of the CA certificate. Once StartSSL has issued a certificate, they will not revoke it without upgrading to Class 2 ($59.90) and charging a revocation fee ($29.90).

Using a different key for each domain allows for the moving of a domain to a different server without having to get a new CA certificate and without duplicating a private key being used for other domains, which would be a potential security risk should one of the servers be compromised.

At this point, it is a very good idea to backup the server's image or save the private keys in a separate, trusted location. If the keys are somehow lost, the associated certificate issued by StartSSL could no longer be used, thus requiring the above stated fees to recreate a certificate for the domain.

Obtain and install the StartSSL Class 1 certificate

Create an account with StartSSL

Create an account with StartSSL. StartSSL uses certificate login. This certificate is installed into the browser and used to log users into the site.

After setting up the account and logging into the site, use the 'Validations Wizard' to validate the domain. To validate the domain, StartSSL will use the email address in the domain's whois record or a few specific email addresses (webmaster@example.com, postmaster@example.com, or hostmaster@example.com). For owners of domains using privacy protection, it will be required that the privacy protection service provider forward the email if the whois email address is desired for use. Most popular registrars immediately forward emails sent to privacy protected email addresses.

Obtain the certificate

After completing validation, under 'Certificates Wizard' select 'Web Server SSL/TLS Certificate'. Choose 'Skip' for the first step, 'Generate Private Key'. Now get the CSR from the server. 

root@servername:~# nano /etc/ssl/private/example.com/server.csr

Highlight and copy absolutely everything from -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST-----. Paste this into the field on the 'Submit Certificate Request (CSR)' page and click 'Continue'. If StartSSL does not accept the pasted CSR, try pasting into a text editor on the local device to make sure it has been copied to the clipboard correctly.

Select the domain and click 'Continue'.

The free StartSSL certificates ('Class 1') are only valid for the domain, https://example.com, and one subdomain. Those desiring to use more than one subdomain will either have to deal with browser certificate warnings or purchase a 'Class 2' certificate, currently $59.90, which has the bonus of being applied to as many domains and subdomains as desired.

Note that using any subdomain other than www will cause browser certificate warnings in some browsers, alerting users that the certificate is unusual because there is no www subdomain in the certificate, even when the user is navigating to the StartSSL approved subdomain for the certificate.

StartSSL will inform users to wait for their verification email, however, this email often comes long after the domain has been verified. Note that domains 3 days old and younger will not be verified.

On the StartSSL website, go to 'Tool Box', 'Retrieve Certificate, select the domain and click 'Continue'. Highlight and copy everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- then paste into the new file server.crt: 

root@servername:~# nano /etc/ssl/private/example.com/server.crt

Create the nginx unified certificate for the StartSSL Class 1 certificate

Add the StartSSL CA certificates to the server and create the domain's nginx unified cert. The StartSSL CA certificates (including the ca-bundle, which may be needed for other SSL usage), will be put into a StartSSL directory. This is convenient when using more than one CA. 

root@servername:~# mkdir /etc/ssl/private/startssl
root@servername:~# wget -O /etc/ssl/private/startssl/startssl-ca-bundle.pem https://www.startssl.com/certs/ca-bundle.pem
root@servername:~# wget -O /etc/ssl/private/startssl/ca.pem https://www.startssl.com/certs/ca.pem
root@servername:~# wget -O /etc/ssl/private/startssl/sub.class1.server.ca.pem https://www.startssl.com/certs/sub.class1.server.ca.pem
root@servername:~# cat /etc/ssl/private/example.com/server.crt /etc/ssl/private/startssl/sub.class1.server.ca.pem > /etc/ssl/private/example.com/ssl-unified.crt

New StartSSL certificates

Startcom will, from time to time, update their own certificates. It is important when renewing domain certificates to determine if the renewed certificate will require new Startcom certificates. When new Startcom certificates are required, they may simply be placed in a new directory, such as /etc/ssl/private/startssl2/.

Add SSL/TLS to the sites-available file

Configure nginx for SSL/TLS and enable.

Edit nginx.conf and create HTTPS server file

Edit nginx.conf. 

root@servername:~# nano /etc/nginx/nginx.conf

Add at the bottom of the http block: 

       ssl_session_cache shared:SSL:10m;

The HTTPS server file will include the common settings for SSL/TLS in an HTTPS server block. 

root@servername:~# nano /etc/nginx/global-configs/https_server.conf

Add to the file: 

location ~ /\. { access_log off; log_not_found off; deny all; }
location ~ ~$ { access_log off; log_not_found off; deny all; }

location = /favicon.ico { log_not_found off; access_log off; }
location = /robots.txt { allow all; log_not_found off; access_log off; }

ssl on; 
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM; 
ssl_prefer_server_ciphers on; 
ssl_ecdh_curve secp521r1;

Add HTTPS server block to sites-available file

Open the sites-available file and add the HTTPS server block. 

root@servername:~# nano /etc/nginx/sites-available/example.com

Add below the HTTP server block:

# HTTPS server

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    root /var/www/example.com/public;
    access_log /var/www/example.com/logs/access.log;
    error_log /var/www/example.com/logs/error.log;
    server_name www.example.com;
    include global-configs/https_server.conf;

    ssl_certificate /etc/ssl/private/example.com/ssl-unified.crt;
    ssl_certificate_key /etc/ssl/private/example.com/server.key;

    location / {
        try_files $uri $uri/ =404;
    }
}

Test then restart nginx. 

root@servername:~# nginx -t
root@servername:~# service nginx restart

Navigating to https://example.com (or https://subdomain.example.com) should load /var/www/example.com/public/index.html in a secure session.

Note that if the the local device's ISP has not yet updated to the new DNS records for the server, entering the IP address of the server should bring up the page, but with the browser's certificate warnings. Proceeding through these warnings should allow the user to view the certificate and verify its settings are correct. Presumably, once the DNS records have updated, the certificates should function normally.

Install ntp

The ntp package maintains the system clock instead of having only the default method for time synchronization, ntpupdate, which runs only once, when Ubuntu starts up. It is important for the clock to be synchronized because, theoretically, if a server goes a long time without being restarted, or a motherboard battery failure causes system clock malfunctions, it may end up having issues with the certificate authority. 

root@servername:~# aptitude install ntp

Common configurations

The HTTPS server block is just as configurable as the HTTP server block, but some configurations are commonly desired by adminstrators.

Require location to load in HTTPS

To require a file or directory to load only in HTTPS, perform the following. 

root@servername:~# nano /etc/nginx/sites-available/example.com

In the HTTP server block, add the following: 

    location ^~ /path/to/directory/or/file {
        return 301 https://$server_name$request_uri;
    }

Require subdomain or site to load in HTTPS

To require a subdomain or site to load only HTTPS, perform the following: 

root@servername:~# nano /etc/nginx/sites-available/example.com

Add the following server block: 

server {
    listen 80;
    listen [::]:80;
    server_name subdomain.example.com;
    return 301 https://subdomain.example.com$request_uri;
}

Next step

Install PHP, that oh-so-popular server-side scripting language.

External links

Securing your webserver with SSL/TLS | Ars Technica

How to obtain and install an SSL/TLS certificate, for free | Ars Technica

Certificates and security | Official Ubuntu 12.04 Server Guide

StartSSL

SSL Labs SSL Server Test

Guide to Nginx + SSL + SPDY | Dogtown | MARE system Kie

SSL ciphers, disable or not to disable RC4? | nginx.org forums mailman

Retrieved from "http://www.unpm.org/wiki/index.php?title=Set_up_SSL/TLS_with_StartSSL&oldid=447"